The dust is settling on the Mythos announcement. CISOs have read the coverage, their peers are texting about it, and now the harder conversation is starting: what do we tell the board?

This past Sunday, the Cloud Security Alliance published “The AI Vulnerability Storm: Building a Mythos-Ready Security Program,” a strategy briefing assembled by a coalition that includes former CISA Director Jen Easterly, Bruce Schneier, former National Cyber Director Chris Inglis, Google CISO Heather Adkins, and dozens of active CISOs across sectors. (Rich Mogull’s companion analysis is also worth reading.)

Our own Max Kovalsky, Managing Director of Consortium's AI Security Center of Excellence, contributed to the report, most visibly in the section on executive and board communication. That’s the part designed to help CISOs translate this shift into a conversation their leadership team can act on.

The framing that matters

"This is a permanent acceleration, not a temporary spike," Kovalsky says. "AI compresses the time between a vulnerability existing and causing business disruption from weeks to hours. That's the sentence that needs to land in a board room."

The report frames AI as a dual-force problem. The same capability that makes attackers faster lets defenders find and fix their own weaknesses first: review code at machine speed, respond to incidents faster than any human team alone. But only if the organization fundamentally reexamines how it approaches cybersecurity.

Kovalsky’s advice to CISOs preparing board updates: connect security to the business case for AI, not just the threat.

“AI at the capability level demonstrated by Mythos is already transforming how organizations operate, compressing development cycles, accelerating time to market. Your business is pursuing that value, and it should be. But those same capabilities have compressed the time to a serious incident from weeks to hours, and that gap will keep narrowing. Turned inward, these tools let us find and fix our own problems first. Without changes on the security side, you move faster as a business but carry more risk with every step.”

Lead with what you’ve already built. “The security program your organization has funded is what makes adaptation possible. Defense-in-depth, segmentation, identity controls: they’re more valuable now, not less. What’s changed is the speed and volume those controls need to absorb.” That framing avoids the two board-conversation failure modes: triggering panic, or getting a shrug.

What the board will ask

The report includes a structured 90-day action plan. But in practice, CISOs won’t get to present it before they field questions. Here are the questions CISOs can expect to hear most often:

“Are we exposed?” "Yes, and so is everyone else. The question isn’t whether you’re exposed. It’s whether your team is ready for the patch volume about to land from 40+ Glasswing vendors like Broadcom, Cisco, Palo Alto, and Microsoft."

“Could someone use this against us today?” “Mythos isn’t public, but the capability to find and exploit vulnerabilities with AI is already strong. Opus 4.6, which is publicly available today, scores 66.6% on vulnerability reproduction benchmarks. Mythos scores 83.1%.”

“Do we need to spend more?” “Probably. The report ties the ask to surge capacity for patch volume, AI tooling for defensive scanning, and faster procurement cycles. You can project the workload in hours and FTEs from Glasswing disclosures alone.”

“Is this the new normal?” “Mythos is the first of many waves, and in many ways the new normal is already here. Build for the next capability jump, not just this one.”

Getting security teams to actually use AI agents

The report recommends formalizing AI agent usage across all security functions. The reality is that security practitioners are professional skeptics. Asking them to trust a technology they know hallucinates isn't a policy change; it's a cultural one.

“Mandates produce compliance theater,” Kovalsky says. “What works is making your most skeptical practitioner the evaluator. Give them the job of finding where the agent fails on your codebase. They have to use the tool to do that, and they come away with an informed opinion instead of a reflexive one.”

Start with the work nobody’s career depends on: audit evidence collection, low-severity triage, drafting incident timelines from log data. Let adoption spread unevenly. “One analyst who cuts a two-day evidence task to three hours does more for adoption than any policy memo.”

VulnOps: democratize vulnerability management

The Mythos-Ready report introduces VulnOps as a permanent organizational capability. That’s the recognition that AI-driven vulnerability discovery isn’t a project with an end date but rather a standing function. Use this moment to do something the industry has talked about for years but never had the tooling to execute: actually shift left on vulnerability management.

AI agents make it possible for developers, DevOps engineers, and platform teams to run meaningful security analysis on their own code, in their own workflows, without routing everything through a centralized security team that's already at capacity. The security team’s role shifts from bottleneck to enabler: defining policy, tuning agents, validating findings, and focusing their expertise on the complex chained vulnerabilities and architecture-level risks that still require deep human judgment.

"The report says using a coding agent is now easier than using Excel," Kovalsky notes. "That’s not an exaggeration. If your developers can prompt an agent to review a pull request for security issues before it ships, you’ve just distributed vulnerability management across every engineering team in the org. That’s how you absorb the volume Mythos represents without burning out your security staff."

This is what VulnOps looks like in practice: not a bigger security team doing the same work faster, but a broader organizational capability where security expertise is encoded into agent workflows and vulnerability management becomes everyone’s job, with the security team as the center of gravity, not the single point of failure.

Making the case for surge capacity

The report is clear that security teams probably need additional headcount and budget to absorb what’s coming. Here's how Kovalsky advises clients to make that case land:

“Anchor to the patch volume, not the threat narrative. CFOs respond to operational load. ‘AI is making attacks more sophisticated’ doesn't move budget. A projected 3x increase in critical patch volume over 90 days does.”

Frame the ask as surge capacity, not permanent headcount. Think 90-day contractor engagements. “You’re asking for a defined sprint with a review point. If the volume stays elevated, you’ll have data to justify converting.” For organizations that report risk formally: if the assumptions behind your risk metrics have changed, that’s a governance question, and most CFOs engage faster with governance than with operations.

What comes next

“The question isn't whether to act,” Kovalsky says. “It’s whether you walk into the board room with a plan or an apology.”

Consortium’s AI Security Center of Excellence is helping clients build tailored executive AI risk briefings, connecting the Mythos-era threat landscape to their specific security posture, existing investments, and a concrete action plan. If that conversation is coming for you, reach out to your account team.



About Consortium
Consortium is the industry’s first cybersecurity and networking value-added reseller, combining strategic advisory, vendor-agnostic procurement, and concierge-level support into a single, client-centric model. Through its NextGen VAR approach, Consortium unifies holistic security strategy, proactive risk management, and simplified vendor oversight to deliver measurable business outcomes — resetting the standard for how organizations protect and enable their business. Leveraging its proprietary Metrics that Matter® (MTM®) platform, Consortium translates technical security data into business-ready insights, empowering executives and boards to make informed, financially grounded decisions while continuously improving security posture. Learn more at www.consortium.net.